SMB send off unrelated memory contents

VULNERABILITY

libcurl can get tricked by a malicious SMB server to send off data it did not
intend to.

In libcurl's state machine function handling the SMB protocol
(smb_request_state()), two length and offset values are extracted from data
that has arrived over the network, and those values are subsequently used to
figure out what data range to send back.

The values are used and trusted without boundary checks and are just assumed
to be valid. This allows carefully handicrafted packages to trick libcurl into
responding and sending off data that was not intended. Or just crash if the
values cause libcurl to access invalid memory.

We are not aware of any exploit of this flaw.

INFO

This flaw can also affect the curl command line tool if a similar operation
series is made with that.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2015-3237 to this issue.